RE: Shibboleth Unknown or Unusable Identity Provider Error

Sohail Bashadi wrote on 2009-05-21:
> I googled the error message, but did not find anything conclusive. Also, I
> am running a Shibboleth 2.0 Daemon and have another IdP from InCommon that I
> am able to connect with fine.

RE: Shibboleth Unknown or Unusable Identity Provider Error

Thanks for the response! I found the solution there, but this has
resulted in another question. I have a Shibboleth2 SP setup
authenticating against a Shibboleth1.3 IdP; I know Shibboleth2 is
backward compatible, but I did not find any documentation for this?
Currently my Shibboleth2.xml looks like the following:

RE: Shibboleth Unknown or Unusable Identity Provider Error

Sohail Bashadi wrote on 2009-05-22:
> Thanks for the response! I found the solution there, but this has
> resulted in another question. I have a Shibboleth2 SP setup
> authenticating against a Shibboleth1.3 IdP; I know Shibboleth2 is
> backward compatible, but I did not find any documentation for this?

Documentation for doing what specifically? It just works, unless you make
changes to things that break its behavior.

> Currently my Shibboleth2.xml looks like the following:

You're making unnecessary changes, though it isn't going to hurt anything to
comment out the SAML 2 request plugin. The out of the box settings are fine
for handling SAML 1 and 2 at the same time.

The usual cause for this is an incoming SAML assertion/response from an
issuer for which the SP has no metadata loaded. This means either the
metadata is wrong, or the IdP in question is using the wrong entityID in
its configuration, so the URI passed to the SP doesn't match what it
expects.

More specific information is usually available from the shibd.log file.
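To make the diagnosis in this reply concrete, here is an added example (written for this page, not code from the Shibboleth SP) that does what the SP does at this step: it reads the issuer out of an incoming SAML 1.1 or SAML 2.0 response and checks it against the entityIDs of the IdPs found in loaded metadata. The metadata, the responses and all entityIDs below are constructed for the example; a real deployment would read the InCommon aggregate and a response captured from shibd.log.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

# Namespaces used by SAML 1.x and SAML 2.0 protocol/assertion messages and by metadata
NS = {
    "samlp2": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp1": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed metadata aggregate: one IdP and one SP-only entity.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed SAML 2.0 response whose issuer is the IdP above.
SAML2_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2009-05-22T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

# Constructed SAML 1.1 response from an issuer that is NOT in the metadata
# (the "dummy IdP" situation: the Issuer attribute does not match any entityID).
SAML1_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    ResponseID="_r1" MajorVersion="1" MinorVersion="1" IssueInstant="2009-05-22T00:00:00Z">
  <saml:Assertion AssertionID="_a1" Issuer="https://dummy-idp.example.net/shibboleth"
      MajorVersion="1" MinorVersion="1" IssueInstant="2009-05-22T00:00:00Z"/>
</samlp:Response>"""


def load_idp_entity_ids(metadata_xml: str) -> Set[str]:
    """Collect the entityID of every EntityDescriptor that carries an IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    ids = set()
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            ids.add(ed.get("entityID"))
    return ids


def extract_issuer(response_xml: str) -> Optional[str]:
    """Return the issuer of a SAML 2.0 or SAML 1.x response, or None if absent."""
    root = ET.fromstring(response_xml)
    # SAML 2.0: <samlp:Response><saml:Issuer>...</saml:Issuer>
    issuer = root.find("saml2:Issuer", NS)
    if issuer is not None and issuer.text:
        return issuer.text.strip()
    # SAML 1.x: the issuer is an attribute on the enclosed <saml:Assertion>
    assertion = root.find("saml1:Assertion", NS)
    if assertion is not None:
        return assertion.get("Issuer")
    return None


def check_issuer(response_xml: str, known_idps: Set[str]) -> Tuple[Optional[str], str]:
    """Mirror the SP's metadata lookup: the issuer must match a loaded IdP entityID exactly."""
    issuer = extract_issuer(response_xml)
    if issuer is None:
        return (None, "no issuer found in response")
    if issuer in known_idps:
        return (issuer, "ok")
    return (issuer, "unknown or unusable identity provider: no metadata for issuer")


if __name__ == "__main__":
    idps = load_idp_entity_ids(METADATA)
    for label, msg in (("SAML 2.0", SAML2_RESPONSE), ("SAML 1.1", SAML1_RESPONSE)):
        print(label, check_issuer(msg, idps))
```

The check is an exact string match on the entityID, which is why a trailing slash or scheme difference between the IdP's configured entityID and the metadata entry is enough to produce the error; the log line from shibd.log normally shows the issuer string the SP actually received, which is the value to compare against the metadata.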

Those are two different ends of the process. You have to be issuing a
request in between because the second one is an indicator that you don't
have metadata for the IdP in question (which is identifying itself as a
dummy IdP, apparently).

For it to send a request in the first place, you either have metadata, which
makes no sense here, or you're pointing at a WAYF or something like that.

> Not sure how I would go about setting up my Shibboleth2.xml to issue a
> legacy request?

RE: Shibboleth Unknown or Unusable Identity Provider Error

In combination with the config snippet you posted, I think what's probably
happening is you're routing the request directly to an IdP that's in the
InCommon metadata, and it's sending you a bogus response with an invalid
entityID in it. So it's an IdP issue, as you suggested.